CommonAPI: Escape HTML for chat messages.
parent
6ace22b56a
commit
3d4eca5dd4
@ -17,6 +17,7 @@ defmodule Pleroma.Web.CommonAPI do
|
|||||||
alias Pleroma.Web.ActivityPub.Pipeline
|
alias Pleroma.Web.ActivityPub.Pipeline
|
||||||
alias Pleroma.Web.ActivityPub.Utils
|
alias Pleroma.Web.ActivityPub.Utils
|
||||||
alias Pleroma.Web.ActivityPub.Visibility
|
alias Pleroma.Web.ActivityPub.Visibility
|
||||||
|
alias Pleroma.Formatter
|
||||||
|
|
||||||
import Pleroma.Web.Gettext
|
import Pleroma.Web.Gettext
|
||||||
import Pleroma.Web.CommonAPI.Utils
|
import Pleroma.Web.CommonAPI.Utils
|
||||||
@ -28,7 +29,12 @@ def post_chat_message(%User{} = user, %User{} = recipient, content) do
|
|||||||
transaction =
|
transaction =
|
||||||
Repo.transaction(fn ->
|
Repo.transaction(fn ->
|
||||||
with {_, {:ok, chat_message_data, _meta}} <-
|
with {_, {:ok, chat_message_data, _meta}} <-
|
||||||
{:build_object, Builder.chat_message(user, recipient.ap_id, content)},
|
{:build_object,
|
||||||
|
Builder.chat_message(
|
||||||
|
user,
|
||||||
|
recipient.ap_id,
|
||||||
|
content |> Formatter.html_escape("text/plain")
|
||||||
|
)},
|
||||||
{_, {:ok, chat_message_object}} <-
|
{_, {:ok, chat_message_object}} <-
|
||||||
{:create_object, Object.create(chat_message_data)},
|
{:create_object, Object.create(chat_message_data)},
|
||||||
{_, {:ok, create_activity_data, _meta}} <-
|
{_, {:ok, create_activity_data, _meta}} <-
|
||||||
|
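Review bot: The escaping at `content |> Formatter.html_escape("text/plain")` happens at write time, so the value `Builder.chat_message/3` receives and stores is already entity-encoded (assuming `html_escape/2` with `"text/plain"` entity-encodes); every reader of a ChatMessage `content` must therefore emit it as HTML rather than escape it again, or users will see double-encoded text, and that contract deserves a comment on that line such as `# content is stored HTML-escaped; render as HTML, never escape again`. This path only covers locally posted messages — ChatMessage objects arriving over federation do not pass through CommonAPI, so they presumably need equivalent sanitisation on the inbound validation path, which is outside this hunk. As a point of style, the single-step pipe reads more naturally as `Formatter.html_escape(content, "text/plain")`. The `with` chain of `post_chat_message/3` continues past the end of the hunk.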
@ -27,7 +27,12 @@ test "it posts a chat message" do
|
|||||||
author = insert(:user)
|
author = insert(:user)
|
||||||
recipient = insert(:user)
|
recipient = insert(:user)
|
||||||
|
|
||||||
{:ok, activity} = CommonAPI.post_chat_message(author, recipient, "a test message")
|
{:ok, activity} =
|
||||||
|
CommonAPI.post_chat_message(
|
||||||
|
author,
|
||||||
|
recipient,
|
||||||
|
"a test message <script>alert('uuu')</script>"
|
||||||
|
)
|
||||||
|
|
||||||
assert activity.data["type"] == "Create"
|
assert activity.data["type"] == "Create"
|
||||||
assert activity.local
|
assert activity.local
|
||||||
@ -35,7 +40,9 @@ test "it posts a chat message" do
|
|||||||
|
|
||||||
assert object.data["type"] == "ChatMessage"
|
assert object.data["type"] == "ChatMessage"
|
||||||
assert object.data["to"] == [recipient.ap_id]
|
assert object.data["to"] == [recipient.ap_id]
|
||||||
assert object.data["content"] == "a test message"
|
|
||||||
|
assert object.data["content"] ==
|
||||||
|
"a test message <script>alert('uuu')</script>"
|
||||||
|
|
||||||
assert Chat.get(author.id, recipient.ap_id)
|
assert Chat.get(author.id, recipient.ap_id)
|
||||||
assert Chat.get(recipient.id, author.ap_id)
|
assert Chat.get(recipient.id, author.ap_id)
|
||||||
|
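Review bot: As shown here, the final assertion compares `object.data["content"]` against `"a test message <script>alert('uuu')</script>"`, the exact string that was posted, which would not prove that any escaping took place; if this is a rendering artifact and the source literal is the entity-encoded form (`&lt;script&gt;` …), fine, otherwise the expected value must be the escaped literal so a regression in `Formatter.html_escape/2` is caught rather than compared against its own output. A second case with a benign message containing `&` and quotes would also pin that ordinary text survives the escaper. The test "it posts a chat message" starts before this hunk.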